#RSAC: Accessibility Clickjacking Threatens 500Mn Android Devices

Mobile malware is in the midst of a transformation from being an inconvenience to consumers to a weapon that can be used by the hacker marketplace to steal sensitive corporate data. Fresh techniques, like the accessibility clickjacking approach showcased at RSA this week, are likely to accelerate this evolution. In fact, accessibility clickjacking could open up an avenue to 500 million Android devices nearly overnight.

Clickjacking is a term for a malicious user interface redressing technique that tricks a victim into clicking on an element different from the one the victim believes they are clicking on.

“This technique, which relied on the ability of malicious websites to load a seemingly benign webpage with an invisible overlay from another service (attacked service), used to be a major concern in the web-application security world and yielded a variety of attacks against important services or frameworks, such as Facebook, Twitter and Flash,” explained Yair Amit, CTO and co-founder at Skycure, in a blog.

Meanwhile, accessibility services, which are applications that provide user interface enhancements to assist users with disabilities, use APIs in Android to allow access to the contents of the interfaces that a user interacts with (e.g., reading or composing an email, browsing or working on a document).

Despite this attractive trait, they aren’t a natural target for malware writers. “Android was built with the pre-ingrained understanding that accessibility services pose a clear threat to users,” Amit explained. “Consequently, in order for an Android app to gain accessibility permissions, the user has to explicitly go through a rather long and unnatural process with a security warning at the end of it. Malware that requires this process to be manually done by a victim is unlikely to gain major traction.”

However, the use of clickjacking changes all of that.

In a proof of concept (PoC) unveiled at RSA, Skycure married mobile clickjacking and accessibility. It showed a victim playing a simple “Rick and Morty” themed rat-hitting game. What actually happens in the background, however, is that the user’s taps are propagated through the game to an underlying, invisible layer of the operating system: the accessibility approval dialog.

“Completing the game means that the victim unknowingly approved Accessibility permissions for the ‘benign game!’” said Amit.

Later in the PoC, the victim continues using the Android device and composes an email to the CEO via the Gmail app. Every action from now on is recorded by the Rick and Morty game.
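The PoC works because taps on the visible overlay pass straight through to the dialog underneath. The added example below is not Skycure's code or the article's; it shows the defensive side for app developers, using the platform's own `filterTouchesWhenObscured` mechanism to reject touches that arrive while another window is drawn over the view, and a helper (assumed to run in an auditing or MDM app) that lists which accessibility services are currently enabled on the device.

```java
// Added example, not from the Skycure PoC or the article.
// A button that refuses touches delivered while its window is obscured by
// another window (the condition an overlay-based tap-hijack depends on).
import android.content.ContentResolver;
import android.content.Context;
import android.provider.Settings;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;
import java.util.ArrayList;
import java.util.List;

public class ObscuredTouchAwareButton extends Button {
    private static final String TAG = "ObscuredTouch";
    private int rejectedTouches = 0;

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Ask the framework to drop touches when this view's window is fully
        // or partially covered by another window (same as the XML attribute
        // android:filterTouchesWhenObscured="true").
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        // FLAG_WINDOW_IS_OBSCURED is set by the system when another window
        // sat above this one at the moment the touch was dispatched.
        boolean obscured = (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (obscured) {
            rejectedTouches++;
            Log.w(TAG, "Touch rejected: window is obscured by another window");
            return false; // do not forward the touch to onTouchEvent()
        }
        return super.onFilterTouchEventForSecurity(event);
    }

    public int getRejectedTouches() { return rejectedTouches; }

    // Audit helper (assumed to run in an admin/MDM app): enabled accessibility
    // services are stored as a colon-separated list of component names.
    public static List<String> enabledAccessibilityServices(Context context) {
        ContentResolver resolver = context.getContentResolver();
        String raw = Settings.Secure.getString(resolver,
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> services = new ArrayList<>();
        if (raw == null || raw.isEmpty()) return services;
        for (String component : raw.split(":")) {
            if (!component.isEmpty()) services.add(component);
        }
        return services;
    }
}
```

The rejected-touch counter gives a view something to log or alert on; an unexpected service in the enabled list is the signal an auditor would look for after an attack of this kind.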

“Once accessibility has been enabled on the device, hackers can even change admin permissions,” explained Amit. “Not only that, the hacker can do so without having the victim click on anything or be aware of it happening. This can have extreme implications including [a] hacker’s ability to encrypt the device’s storage, change or disable its passcode or even wipe the device remotely.”

Bottom line? Accessibility clickjacking can allow malicious applications to access all text-based sensitive information on an infected Android device, as well as take automated actions via other apps or the operating system, without the victim’s consent. This would include all personal and work emails, SMS messages, data from messaging apps, sensitive data on business applications such as CRM software, marketing automation software and more.

“While a variety of capabilities have been implemented into web browsers and web servers in order to mitigate the risk of clickjacking, mobile still remains vulnerable and it turns out that Android is susceptible to a similar kind of a threat,” concluded Amit.